Your message dated Tue, 12 Jun 2018 22:03:57 +0000
with message-id <e1fsrop-0008zv...@fasolo.debian.org>
and subject line Bug#895778: fixed in jruby 1.7.26-1+deb9u1
has caused the Debian Bug report #895778,
regarding jruby: Several security vulnerabilities
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
895778: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=895778
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: jruby
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for jruby. Apparently
rubygems is embedded into jruby, which makes it vulnerable too.

CVE-2018-1000079[0]:
| RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series:
| 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5
| series: 2.5.0 and earlier, prior to trunk revision 62422 contains a
| Directory Traversal vulnerability in gem installation that can result
| in the gem writing to arbitrary filesystem locations during
| installation. This attack appears to be exploitable when the victim
| installs a malicious gem. This vulnerability appears to have been fixed
| in 2.7.6.

CVE-2018-1000078[1]:
| RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series:
| 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5
| series: 2.5.0 and earlier, prior to trunk revision 62422 contains a
| Cross Site Scripting (XSS) vulnerability in gem server display of
| homepage attribute that can result in XSS. This attack appears to be
| exploitable when the victim browses to a malicious gem on a
| vulnerable gem server. This vulnerability appears to have been fixed
| in 2.7.6.

CVE-2018-1000077[2]:
| RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series:
| 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5
| series: 2.5.0 and earlier, prior to trunk revision 62422 contains an
| Improper Input Validation vulnerability in ruby gems specification
| homepage attribute that can result in a malicious gem setting an
| invalid homepage URL. This vulnerability appears to have been fixed in
| 2.7.6.

CVE-2018-1000076[3]:
| RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series:
| 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5
| series: 2.5.0 and earlier, prior to trunk revision 62422 contains an
| Improper Verification of Cryptographic Signature vulnerability in
| package.rb that can result in a mis-signed gem being installed, as
| the tarball would contain multiple gem signatures. This vulnerability
| appears to have been fixed in 2.7.6.

CVE-2018-1000075[4]:
| RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series:
| 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5
| series: 2.5.0 and earlier, prior to trunk revision 62422 contains an
| infinite loop caused by negative size vulnerability in ruby gem
| package tar header, where a negative size could cause an
| infinite loop. This vulnerability appears to have been fixed in
| 2.7.6.

CVE-2018-1000074[5]:
| RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series:
| 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5
| series: 2.5.0 and earlier, prior to trunk revision 62422 contains a
| Deserialization of Untrusted Data vulnerability in owner command that
| can result in code execution. This attack appears to be exploitable
| when the victim runs the `gem owner` command on a gem with a specially
| crafted YAML file. This vulnerability appears to have been fixed in
| 2.7.6.

CVE-2018-1000073[6]:
| RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series:
| 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5
| series: 2.5.0 and earlier, prior to trunk revision 62422 contains a
| Directory Traversal vulnerability in install_location function of
| package.rb that can result in path traversal when writing to a
| symlinked basedir outside of the root. This vulnerability appears to
| have been fixed in 2.7.6.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-1000079
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000079
[1] https://security-tracker.debian.org/tracker/CVE-2018-1000078
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000078
[2] https://security-tracker.debian.org/tracker/CVE-2018-1000077
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000077
[3] https://security-tracker.debian.org/tracker/CVE-2018-1000076
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000076
[4] https://security-tracker.debian.org/tracker/CVE-2018-1000075
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000075
[5] https://security-tracker.debian.org/tracker/CVE-2018-1000074
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000074
[6] https://security-tracker.debian.org/tracker/CVE-2018-1000073
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000073

Please adjust the affected versions in the BTS as needed.

Regards,

Markus

Attachment: signature.asc
Description: OpenPGP digital signature


--- End Message ---
--- Begin Message ---
Source: jruby
Source-Version: 1.7.26-1+deb9u1

We believe that the bug you reported is fixed in the latest version of
jruby, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 895...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Koschany <a...@debian.org> (supplier of updated jruby package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 29 Apr 2018 22:24:33 +0200
Source: jruby
Binary: jruby
Architecture: source all
Version: 1.7.26-1+deb9u1
Distribution: stretch-security
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintain...@lists.alioth.debian.org>
Changed-By: Markus Koschany <a...@debian.org>
Description:
 jruby      - 100% pure-Java implementation of Ruby
Closes: 895778
Changes:
 jruby (1.7.26-1+deb9u1) stretch-security; urgency=high
 .
   * Team upload.
   * Fix CVE-2018-1000073: Directory Traversal vulnerability in install_location
     function of package.rb that can result in path traversal when writing to a
     symlinked basedir outside of the root.
   * Fix CVE-2018-1000074: possible Unsafe Object Deserialization Vulnerability
     in gem owner.
   * Fix CVE-2018-1000075: Strictly interpret octal fields in tar headers to
     avoid infinite loop
   * Fix CVE-2018-1000076: Raise a security error when there are duplicate
     files in a package
   * Fix CVE-2018-1000077: Enforce URL validation on spec homepage attribute.
   * Fix CVE-2018-1000078: Mitigate XSS vulnerability in homepage attribute
     when displayed via gem server.
   * Fix CVE-2018-1000079: Directory Traversal vulnerability in gem installation
     that can result in writing to arbitrary filesystem locations during
     installation of malicious gems.
     (Closes: #895778)
Checksums-Sha1:
 77a1a63dbd114dc1889acfc4f70629f3a0b78e8b 3212 jruby_1.7.26-1+deb9u1.dsc
 e1a304da12f6cc5db9d2a9a6f6f885c82b568bed 10228992 jruby_1.7.26.orig.tar.gz
 aeb515f6e7112b82ab19f0e7eb08494d492f6622 92000 jruby_1.7.26-1+deb9u1.debian.tar.xz
 6b19ad31fa00fe64a865a0fbb3c841df27e93509 49204708 jruby_1.7.26-1+deb9u1_all.deb
 3760127488659ec0ac376f5093858c3b0bef0c1b 17605 jruby_1.7.26-1+deb9u1_amd64.buildinfo
Checksums-Sha256:
 ec52c2bb87310172b117dcc67d43f858bf56b481d14f2a91556d58c97da87308 3212 jruby_1.7.26-1+deb9u1.dsc
 37bfdbf6bbf1fba7d1976d381517e86506790bd8f4a43a870c1e76de29b082ad 10228992 jruby_1.7.26.orig.tar.gz
 c9f823ac388e1cd0b22ea3d22bc7cbfaf722632d9c05dbb26fa4e39fc1e16874 92000 jruby_1.7.26-1+deb9u1.debian.tar.xz
 7c5196fa3dc7a4287e9e0ecdc23db16d45512dc5f788eec3e5d17b6743f89f75 49204708 jruby_1.7.26-1+deb9u1_all.deb
 e3f45ef92ba375652cd47450642ef613eadb79c4ba23ee706ee7778b263d1ebf 17605 jruby_1.7.26-1+deb9u1_amd64.buildinfo
Files:
 40fdd7260a9af15595a0a7f8efdb5b92 3212 ruby optional jruby_1.7.26-1+deb9u1.dsc
 c8d965f03ebb9b97e168bc40d81a9b91 10228992 ruby optional jruby_1.7.26.orig.tar.gz
 f491676ad338441619efe57c7de067d8 92000 ruby optional jruby_1.7.26-1+deb9u1.debian.tar.xz
 29843476714c9158a6e0b57c087d30a5 49204708 ruby optional jruby_1.7.26-1+deb9u1_all.deb
 9dd3df6943fc4809566218bd2176602b 17605 ruby optional jruby_1.7.26-1+deb9u1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQKjBAEBCgCNFiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAlsXtG9fFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD
RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQPHGFwb0BkZWJp
YW4ub3JnAAoJENmtFLlRO1HkYpYP/0hShTSlDpIbfV3WC0xwcDoksiCq+erc6WlM
WvoaP4v4G5638qKlav703iqRvxHjTuqCF5vSIvKIZtA83XlVkKtAviFrH6TE+lBF
UxJ7SZ/If/HqySs09TF4vmKzxBwtmnjpXsIqjKCVavMo7gT4IV5q4KqHkEOaQTlo
XbG1/vDNW+Wjtn89qPfBDtSGksRVhtZuS5OX4ceDn5ApqP4s+oy4F8xEnbS8Vu/1
VOYJy77G5wLFEsQKP7tvk0D/ptnQ+Z2+lNwQxDhtdOWsGyjLMaWGTppPXJEiAyMC
O3+j5rKWKMc3o/qqN5GZsRpYA1ZxBBBVEECYvX/ocmohPaYqE9HQQbTaIvNmrVKF
vyb13XBky9GGRJNyZ6so62t5UdkYsEJm/g0jkMWucx+0aOGhSFKhy3CumTt8S1L/
hcVNSKw2adSqwJL4buMJYYltV5Nt64xzFXyjy1C7youhd1Urw//ZiYdH/y5EvkwC
nRJRqkE1IHHjD4K9eH5PUDhPo99/6UR8bmYrobgRvXq+JIXanyxRDfa+vxDVBQIl
SmZA+ARLRKF27eGAtK3pVTmaeHBuT5QXo1yZJLry8lLXbSKAGmve6zjT9TXN+an9
7VF0kdE06m3fwsSo2ktPihwv92O0wxUgaLF5h631WEAKaS9V/CcOq48ePRUGJ2g+
B2Ide6eE
=BK+l
-----END PGP SIGNATURE-----

--- End Message ---
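The bug report above describes the vulnerability classes (path traversal on install, a negative tar header size, duplicate entries defeating signature checks, an unvalidated homepage URL) and the changelog describes the corresponding fixes (realpath-resolved install location, strict octal parsing, a security error on duplicate files, URL validation). The following Ruby sketch is an added example of those defensive checks, written for this page; it is not code from the bug report, from RubyGems or from the jruby package, and every name in it (GemPackageError, strict_octal, safe_install_location, valid_homepage?, plan_extraction, demo) is hypothetical. The entry lists it checks are constructed for the demonstration.

```ruby
require "uri"
require "tmpdir"
require "fileutils"

# Illustrative checks modelled on the fixes listed in the changelog; not
# RubyGems' own implementation. All identifiers here are hypothetical.
class GemPackageError < StandardError; end

# Tar header numeric fields are ASCII octal padded with NUL or space. Lenient
# parsing ("-1".oct == -1) lets a crafted header yield a negative size that a
# read loop never finishes; only octal digits are accepted here.
def strict_octal(field)
  str = field.delete("\0").strip
  return 0 if str.empty?
  unless str.match?(/\A[0-7]+\z/)
    raise GemPackageError, "non-octal tar header field: #{field.inspect}"
  end
  str.to_i(8)
end

# Compute where an entry would be written and refuse anything that resolves
# outside the installation directory. basedir goes through realpath first so a
# symlinked basedir cannot be used to place a file outside the real tree.
def safe_install_location(basedir, entry_name)
  if entry_name.start_with?("/")
    raise GemPackageError, "absolute path in entry: #{entry_name}"
  end
  root = File.realpath(basedir)
  dest = File.expand_path(entry_name, root)
  # Compare against root plus a separator so "/opt/gems2" is not mistaken
  # for a child of "/opt/gems".
  unless dest == root || dest.start_with?(root + File::SEPARATOR)
    raise GemPackageError, "entry escapes install dir: #{entry_name}"
  end
  dest
end

# A spec homepage must be an http(s) URL with a host; anything else is
# rejected before it is stored or rendered by a gem server.
def valid_homepage?(url)
  uri = URI.parse(url.to_s)
  %w[http https].include?(uri.scheme) && !uri.host.nil? && !uri.host.empty?
rescue URI::InvalidURIError
  false
end

# Apply every check to the whole entry list before any byte is written.
# Entries are hashes with the tar header name and the raw size field.
# Returns [destination, size] pairs or raises GemPackageError.
def plan_extraction(basedir, entries)
  seen = {}
  entries.map do |entry|
    name = entry[:name]
    # Two entries with one name would let an unsigned copy shadow the signed
    # one, so the whole package is refused.
    raise GemPackageError, "duplicate entry in package: #{name}" if seen[name]
    seen[name] = true
    [safe_install_location(basedir, name), strict_octal(entry[:size_field])]
  end
end

# Self-contained demonstration on constructed input, run through a symlinked
# basedir. Returns a hash of accepted results and rejection messages.
def demo
  results = {}
  Dir.mktmpdir("gemroot") do |root|
    link = File.join(Dir.tmpdir, "gemlink-#{$$}")
    File.symlink(root, link)
    begin
      benign = [{ name: "lib/foo.rb", size_field: "0000012\0" },
                { name: "README", size_field: "00000000011\0" }]
      results[:benign] = plan_extraction(link, benign).map { |d, s| [File.basename(d), s] }

      { traversal: [{ name: "../../outside.txt", size_field: "0000012\0" }],
        negative_size: [{ name: "lib/a.rb", size_field: "-1\0" }],
        duplicate: [{ name: "data.tar.gz", size_field: "10\0" },
                    { name: "data.tar.gz", size_field: "10\0" }] }.each do |label, entries|
        begin
          plan_extraction(link, entries)
          results[label] = :accepted
        rescue GemPackageError => e
          results[label] = "rejected: #{e.message}"
        end
      end
    ensure
      File.unlink(link)
    end
  end
  results[:homepage_ok] = valid_homepage?("https://example.org/gem")
  results[:homepage_bad] = valid_homepage?("javascript:alert(1)")
  results
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

Running the file prints the benign plan (two files, sizes 10 and 9 bytes decoded from octal) and a rejection message for each of the traversal, negative-size and duplicate packages. The point of checking the full entry list before extracting is that a package is either wholly accepted or wholly refused; a partial extraction that stops at the bad entry would already have written files.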
This is the maintainer address of Debian's Java team <https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-java-maintainers>. Please use debian-j...@lists.debian.org for discussions and questions.